How to parse syslog messages in a syslog4j syslog server

Question

I want to parse syslog messages coming to a syslog server implemented in syslog4J. It is possible to do that in syslog4J?

What I want to do is to be able to segregate out various fields in syslog messages like hostname, timestamp, message, severity level etc. and make a uniform syslog pattern for future analysis.

This king of functionality is available in rsyslog or syslogNG.

SyslogServerConfigIF config = new TCPNetSyslogServerConfig("0.0.0.0", 1455);
config.setUseStructuredData(true);

SyslogServerIF syslogserver = SyslogServer.getInstance("tcp");
syslogserver.initialize("tcp", config);
syslogserver.run();

score 1 · Answer 1 · answered Mar 05 '14 at 15:42

Start with creating a new Event Handler class to handle the messages. Note that the parsing should be done in the event() method as that will be called for each syslog event.

public class SyslogMessageHandler implements SyslogServerSessionEventHandlerIF {

@Override
public void event(Object session, SyslogServerIF syslogServer, 
                  SocketAddress socketAddress, SyslogServerEventIF event) {
    // Simple parsing for Strings in the message
    if (!event.getMessage().contains(" msg=\"")) {
        Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, event.getMessage());
    }

    // You can also build Objects and/or use Pattern/Matcher for parsing.
    MyHTTPLogInfo info = new MyHTTPLogInfo(event.getMessage());
    Pattern myPattern = Pattern.compile("^GET\\s+/([^\\s\\?]*)(\\?\\S*)?\\s+HTTP/1\\.\\d$");
    Matcher matcher = myPattern.matcher(info.getHttpRequest());
    if (matcher.matches()) {
        Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, info.getMyCustomLogOutput());
    }
}

@Override
public void exception(Object session, SyslogServerIF syslogServer, SocketAddress socketAddress, Exception exception) {
    Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, "exception()");
}

@Override
public Object sessionOpened(SyslogServerIF syslogServer, SocketAddress socketAddress) {
    Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, "sessionOpened()");
    return new Date();
}

@Override
public void sessionClosed(Object session, SyslogServerIF syslogServer, SocketAddress socketAddress, boolean timeout) {
    Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, "sessionClosed() {0}", session);
}

@Override
public void initialize(SyslogServerIF syslogServer) {
    Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, "initialize()");
}

@Override
public void destroy(SyslogServerIF syslogServer) {
    Logger.getLogger(getClass().getSimpleName()).log(Level.INFO, "destroy()");
}

Finally register that new class as an EventHandler in the syslog4j config:

eventHandler = new SyslogMessageHandler(); config.addEventHandler(eventHandler);

Then you are ready to start testing and debugging your various formats and patterns :)

can you tell me what packages you need to import to make it work? — Ibrahim, Jun 23 '14 at 14:58

How to parse syslog messages in a syslog4j syslog server

1 Answers1